Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

[Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]

[-- Attachment #1: Type: text/plain, Size: 3745 bytes --]

On Tue, Aug 30, 2016 at 02:06:53PM +0000, Daniel Jurgens wrote:
> On 8/30/2016 8:53 AM, Paul Moore wrote:
> > On Tue, Aug 30, 2016 at 3:46 AM, Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> >> On Mon, Aug 29, 2016 at 08:00:32PM -0400, Paul Moore wrote:
> >>> On Mon, Aug 29, 2016 at 5:48 PM, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote:
> >>>> On 8/29/2016 4:40 PM, Paul Moore wrote:
> >>>>> On Fri, Jul 29, 2016 at 9:53 AM, Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote:
> >>>>>> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> >>>>> ...
> >>>>>
> >>>>>> Daniel Jurgens (9):
> >>>>>>   IB/core: IB cache enhancements to support Infiniband security
> >>>>>>   IB/core: Enforce PKey security on QPs
> >>>>>>   selinux lsm IB/core: Implement LSM notification system
> >>>>>>   IB/core: Enforce security on management datagrams
> >>>>>>   selinux: Create policydb version for Infiniband support
> >>>>>>   selinux: Allocate and free infiniband security hooks
> >>>>>>   selinux: Implement Infiniband PKey "Access" access vector
> >>>>>>   selinux: Add IB Port SMP access vector
> >>>>>>   selinux: Add a cache for quicker retreival of PKey SIDs
> >>>>> Hi Daniel,
> >>>>>
> >>>>> My apologies for such a long delay in responding to this latest
> >>>>> patchset; conferences, travel, and vacation have made for a very busy
> >>>>> August.  After you posted the v2 patchset we had an off-list
> >>>>> discussion regarding testing the SELinux/IB integration; unfortunately
> >>>>> we realized that IB hardware would be needed to test this (no IB
> >>>>> loopback device), but we agreed that having tests would be beneficial.
> >>>>>
> >>>>> Have you done any work yet towards adding SELinux/IB tests to the
> >>>>> selinux-testsuite project?
> >>>>>
> >>>>> * https://github.com/SELinuxProject/selinux-testsuite
> >>>> Hi Paul, I've not started doing that yet.  I've been waiting for feedback of any kind from the RDMA list.  I thought the test updates would be more appropriate around the time I'm submitting the changes to the user space utilities to allow labeling the new types.
> >>> Okay, no problem.  I just want the tests in place and functional when
> >>> we merge the kernel code.
> >> Hi Paul,
> >>
> >> IMHO, you can use Soft RoCE (RXE) [1] for it.
> >>
> >> ----
> >> Soft RoCE (RXE) - The software RoCE driver
> >>
> >> ib_rxe implements the RDMA transport and registers to the RDMA core
> >> device as a kernel verbs provider. It also implements the packet IO
> >> layer. On the other hand ib_rxe registers to the Linux netdev stack
> >> as a udp encapsulating protocol, in that case RDMA, for sending and
> >> receiving packets over any Ethernet device.  This yields a RDMA
> >> transport over the UDP/Ethernet network layer forming a RoCEv2
> >> compatible device.
> >>
> >> The configuration procedure of the Soft RoCE drivers requires
> >> binding to any existing Ethernet network device. This is done with
> >> /sys interface.
> >> ----
> >>
> >> [1]
> >> https://git.kernel.org/cgit/linux/kernel/git/dledford/rdma.git/tree/drivers/infiniband/sw/rxe
> > Hi Leon,
> >
> > It looks like v4.8 will have all the necessary pieces for this, yes?
> > Is there any documentation on this other than the git log?  Keep in
> > mind I'm looking at this from the SELinux side, I'm very Infiniband
> > ignorant at the moment; although Daniel has been very patient in
> > walking me through some of the basics.
> >
> > Daniel, does this look like something we might be able to use?
> >
> I don't this will be useful, RoCE doesn't have partitions/PKeys because it uses Ethernet as the transport instead of Infiniband.
>

Yeah, sorry for the noise.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]